Considering to introduce release candidates
by Stian Thorgersen
Lately we've been following a pretty aggressive release schedule with a new
Final released every 4 to 6 weeks. We want to continue having frequent
releases, but at the same time it would be good to give people the
opportunity to test things out in advance of a release.
I propose we continue doing releases every 4-6 weeks, but instead of going
straight to Final we'll release a CR1. If there are no high priority issues
reported against it within a week we'll release the Final. Otherwise we'll
release CR2, but this time reduce the wait to roughly half a week before
releasing Final (or CR3).
We would not support migrating between CR releases as they are purely
targeted towards testing. These releases should only be used in
staging/test environments. Ideally with a copy of the production database.
Basically that would mean that upgrading from 1.6.0.Final to 1.7.0.CR1 and
then upgrading to 1.7.0.Final would not work. You would have to upgrade
directly from 1.6.0.Final to 1.7.0.Final.
I'd like to ask the community: is this something that would be beneficial?
Would you actually play with and test release candidates, or would you
simply wait for the Final to be released?
9 years, 1 month
Unified login for existing applications
by Joseph Djomeda
Hi Community,
Thanks for all the amazing features list I have read about this product and
that is truly exciting. Kudos for pulling down all that. I am new to the
world of SSO and so on but I am doing my homework catching up.
I have a problem and I am wondering whether keycloak is the solution. We
have 5 different applications each using either apache shiro or spring
security for authentication. Those using shiro have different hashing
algorithm and different number of iterations. We are about to launch new
products each with their own authentication so we were like why not go
google model.
Here are a few questions I would like to ask those of you actively using
keycloak.
- Can I build an application with keycloak embedded in it where keycloak
provides identity based on some logic that we will put in the parent
application. Logic like how to merge all products mentioned earlier?
- Supposing no work is needed and everything I mentioned is supported
can keycloak allow relooking/branding of UI such a way it's inline with
most of UI directions we have for all our existing products?
- Can I use keycloak to not only provide SSO for our own applications
but also make that keycloak become an ID provider (likes of openID etc )
for other applications that we don't own?
Thanks for reading my questions and I hope I will be able to learn from all
of you
Best Regards,
--
Joseph Kodjo-Kuma Djomeda
check out my pains at : www.mycodingpains.com
We become what we think about ourselves........
9 years, 1 month
KEYCLOAK-1735 - possible to recategorise it as an urgent bug not enhancement?
by David Illsley
Hi all,
KEYCLOAK-1735 describes that users with the 'manage-users' role can
self-assign 'manage-realm', and gain substantial extra privileges.
This behaviour came as a substantial surprise to me when I discovered it,
and I suspect there are users out there who have vulnerabilities due to
this unexpected behaviour.
KEYCLOAK-1735 is currently marked as an enhancement, and while I can see
that it might be substantial work to change this behaviour, I think it
should be a priority to make the behaviour clear to users - probably
through documentation, and possibly through renaming the role so that its
expansive powers are clear.
Is this a possibility? What's the best way to get this to happen?
Thanks,
David
9 years, 1 month
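An audit for the behaviour reported in the message above, as an added example that is not part of the original post or of Keycloak: it resolves composite roles and lists accounts that can reach 'manage-realm' through 'manage-users'. The user names, the composite roles 'helpdesk' and 'support-tier2', and the data layout are constructed assumptions, not a Keycloak export format.

```python
# Added example; ASSIGNMENTS and COMPOSITES are constructed sample data.
# Behaviour reported in KEYCLOAK-1735: a holder of the key can self-assign the value.
ESCALATES_TO = {"manage-users": "manage-realm"}

def expand(role, composites, seen=None):
    """Return the role plus every role reachable through composite membership."""
    seen = set() if seen is None else seen
    if role in seen:          # guard against composite cycles
        return seen
    seen.add(role)
    for child in composites.get(role, ()):
        expand(child, composites, seen)
    return seen

def audit(assignments, composites):
    """Classify each user's access to manage-realm: 'granted', 'reachable' or None."""
    report = {}
    for user, roles in assignments.items():
        effective = set()
        for role in roles:
            effective |= expand(role, composites)
        if "manage-realm" in effective:
            report[user] = "granted"        # explicitly assigned, expected
        elif any(src in effective for src in ESCALATES_TO):
            report[user] = "reachable"      # can self-assign per KEYCLOAK-1735
        else:
            report[user] = None
    return report

# Hypothetical composites: 'helpdesk' pulls in 'manage-users' indirectly,
# and the two composites reference each other to exercise the cycle guard.
COMPOSITES = {
    "helpdesk": ["view-users", "support-tier2"],
    "support-tier2": ["manage-users", "helpdesk"],
}
ASSIGNMENTS = {
    "alice": ["manage-realm"],
    "bob": ["manage-users"],
    "carol": ["helpdesk"],
    "dave": ["view-users"],
}

if __name__ == "__main__":
    for user, status in sorted(audit(ASSIGNMENTS, COMPOSITES).items()):
        print(f"{user}: {status}")
```

Accounts reported as 'reachable' are the ones to review: they were never granted 'manage-realm' but hold a role from which it can be self-assigned.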
Securing the Wildfly management console with Keycloak
by Matthew Casperson
Is it possible to use KeyCloak to restrict access to the Wildfly web
administration console? It would be handy to be able to treat the web admin
console like any other administrator web site that might be protected with
a Keycloak realm rather than manage mgmt-users.properties files
individually.
--
*Matthew Casperson*
*Senior Front End Developer*
Technology, Space & Distribution
Auto & General Holdings Pty Ltd
P: 07) 3377 8751 (Direct: 3377 8751)
F: 07) 3377 8833
9 years, 1 month
Exception loading Keycloak modules in Wildfly 9.0
by Vijay Bhadriraju
I am getting the following exception after unzipping the
keycloak-wildfly-adapter-dist-1.1.0.Final.zip into the WildFly 9.0 server
and configuring the standalone.xml file with the following lines as
described in the keycloak documentation. I have tried this with Wildfly
10.0 version also and get the same error.
<server xmlns="urn:jboss:domain:1.4">
    <extensions>
        <extension module="org.keycloak.keycloak-adapter-subsystem"/>
        ...
    </extensions>
    <profile>
        <subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
        ...
    </profile>
How do I resolve this keycloak module loading exception?
11:35:36,018 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.as.server.ServerService.boot(ServerService.java:356) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65]
Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module org.keycloak.keycloak-adapter-subsystem
    at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:155) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:220) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:143) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:69) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:47) [wildfly-server-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
    at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69) [staxmapper-1.2.0.Final.jar:1.2.0.Final]
    at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    ... 3 more
Caused by: java.util.concurrent.ExecutionException: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
    at java.util.concurrent.FutureTask.report(Unknown Source) [rt.jar:1.8.0_65]
    at java.util.concurrent.FutureTask.get(Unknown Source) [rt.jar:1.8.0_65]
    at org.jboss.as.controller.parsing.ExtensionXml.parseExtensions(ExtensionXml.java:147) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    ... 10 more
Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
    at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:196) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.as.controller.parsing.ExtensionXml.access$000(ExtensionXml.java:69) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:127) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    at org.jboss.as.controller.parsing.ExtensionXml$1.call(ExtensionXml.java:124) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    at java.util.concurrent.FutureTask.run(Unknown Source) [rt.jar:1.8.0_65]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.8.0_65]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.8.0_65]
    at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_65]
    at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.1.Final.jar:2.2.1.Final]
Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-adapter-subsystem:main
    at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:236) [jboss-modules.jar:1.4.4.Final]
    at org.jboss.as.controller.parsing.ExtensionXml.loadModule(ExtensionXml.java:178) [wildfly-controller-2.0.0.CR7.jar:2.0.0.CR7]
    ... 8 more
Regards, Vijay
9 years, 1 month
Mapper for External Identity provider
by Akanksha Mishra
Hi,
While configuring Keycloak as SP with ADFS 2.0 as external IDP, the user
authentication fails in my app's backend after passing the credentials in
ADFS login page.
On investigating, I found out that the Username of the external user is
stored by his email address in Keycloak-Users while the username is
configured as "LDAP entry dn" for internal users in keycloak.
I wish to get the DN of this external user in the username field. Do we
need to configure a mapper for the same?
9 years, 1 month
Adding custom Error Messages from federation provider
by alex orl
Hi to all, I need to handle some use-cases in which custom messages should be raised up to the login user interface. I saw keycloak themes offer messages_xx.properties for that, but my real need is to send new messages dealing with not handled specific cases up from my user federation provider implementation. Thanks a lot.
9 years, 1 month
Brute force protector and service accounts/Login actions URI
by Benjamin Hansmann [alphaApps]
Hi,
great to see rapid progress on keycloak and regular releases with new
features added.
I am on Keycloak 1.4.0 and have two questions regarding 2 recently added
features:
- The service accounts introduced in 1.5.0 and the possibility to
authenticate them with certificates in 1.6.0 is a great feature. I am
asking myself if these will be excluded from the brute force protection
mechanism. I would like to use a service account in my app when a user
is not logged in (which is now just a regular account). If this account
will be subject to get locked out after a few consecutive failed login
attempts, all users will not be able to use the features which do not
require an active user session but rely on the service account. So
someone could deliberately lock the service account.
- I was having trouble with keycloak-services
(Urls.java:loginActionsBase): I have a rest web service which also acts
as a keycloak facade for registration, reset password, resend
verification email etc... From within my web service I use the keycloak
admin-client to e.g. trigger a reset-password-email or registration. The
problem was that emails sent by keycloak then contained links referring
to localhost:8080 because my web service contacts keycloak locally on
the server. I worked around this issue by patching the loginActionsBase
method in Urls.java to replace hostname, scheme and port of the returned
URI. This seemed ugly to me and I am asking if the feature "Added root
URL to clients" in the just released 1.6.0 version makes this workaround
obsolete?
Best regards,
Benjamin
9 years, 1 month
Changing url in reset-password emails
by Fabio Monteiro
Hi,
We use keycloak API rest to send email password reset to users. But we would need to change the host part of the url used in the email link presented to users in the email sent to them.
Is there an easy way to do so, you guys know??
This is quite critical right now for our app so any help would be MUCH appreciated. THANKS A LOT
Fabio Monteiro
9 years, 1 month